NETWORK ARCHITECTURE
> cat /etc/network/topology.conf
```mermaid
graph TD
ISP["Internet"] --> MODEM["Cable Modem\nBridge Mode"]
MODEM --> GW["Gateway / Firewall\nRouter + Controller"]
GW --> SW["Core Switch\nManaged PoE - VLAN Trunking"]
SW --> AP1["Wireless APs\nSSID to VLAN Mapping"]
SW --> PI["Infrastructure Node\nDNS / VPN / ETL / WoL"]
SW --> SRV["Compute Server\nOn-Demand Power"]
SW --> NVR["Video Recorder\nAir-Gapped - No Internet"]
SW --> CAMS["Surveillance Cameras\nLocal Recording Only"]
AP1 --> WIFI_CLIENTS["Wireless Clients\nAssigned to VLAN by SSID"]
SW --> WIRED["Wired Clients\nAssigned to VLAN by Port"]
PI -.->|"Wake-on-LAN"| SRV
PI -.->|"DNS for all VLANs"| SW
style ISP fill:#0B0014,stroke:#FF6B35,color:#FF6B35
style GW fill:#0B0014,stroke:#00FFFF,color:#00FFFF
style SW fill:#0B0014,stroke:#00FFFF,color:#00FFFF
style PI fill:#0B0014,stroke:#39FF14,color:#39FF14
style SRV fill:#0B0014,stroke:#7B2FBE,color:#7B2FBE
style NVR fill:#0B0014,stroke:#FF0000,color:#FF0000
style CAMS fill:#0B0014,stroke:#FF0000,color:#FF0000
style AP1 fill:#0B0014,stroke:#FF00FF,color:#FF00FF
style WIFI_CLIENTS fill:#0B0014,stroke:#E8E8E8,color:#E8E8E8
style WIRED fill:#0B0014,stroke:#E8E8E8,color:#E8E8E8
style MODEM fill:#0B0014,stroke:#FF6B35,color:#FF6B35
```

| COMPONENT | ROLE | CRITICALITY |
|---|---|---|
| Gateway | Routing, firewall, VLAN isolation, controller | Critical |
| Core Switch | VLAN trunking, PoE for APs and cameras | Critical |
| Infrastructure Node | DNS (Pi-hole + Unbound), VPN, ETL, Wake-on-LAN | Critical |
| Wireless APs | SSID-to-VLAN mapping, wireless access | High |
| Compute Server | Media services, lab workloads, on-demand | Medium |
| Video Recorder | Local camera recording — air-gapped from internet | Medium |
Bridge Mode Modem
ISP modem runs in bridge mode — no double NAT, no ISP-controlled routing. The gateway handles all routing decisions, giving full control over traffic flow and firewall rules.
On-Demand Compute
The compute server draws significant power at idle. Rather than running 24/7, it's powered on via Wake-on-LAN from the infrastructure node — either on schedule, by manual trigger, or via API webhook. Media services are used episodically, so the server matches that usage pattern.
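As an added example (not code from this page or its author), here is how the Wake-on-LAN trigger on the infrastructure node could be implemented: it builds the standard magic packet (six 0xFF bytes followed by the target MAC repeated sixteen times), broadcasts it on the server's VLAN, and then polls a TCP port so a scheduled or webhook-driven caller can tell whether the server actually came up. The MAC address, broadcast address, server IP and service port are placeholders.

```python
"""Wake the compute server from the infrastructure node (added example).
MAC, broadcast address, server IP and service port are placeholders."""
import re
import socket
import time

SERVER_MAC = "00:11:22:33:44:55"   # placeholder: compute server NIC
BROADCAST = "192.168.20.255"       # placeholder: directed broadcast of the server VLAN
SERVER_IP = "192.168.20.10"        # placeholder: compute server address
WOL_PORT = 9                       # conventional UDP port for magic packets
SERVICE_PORT = 22                  # placeholder: port to poll once the host is up

# Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff (one consistent separator)
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2})([-:]?)([0-9A-Fa-f]{2})(\2[0-9A-Fa-f]{2}){4}$")


def parse_mac(mac: str) -> bytes:
    """Validate the MAC and return its six raw bytes; reject malformed input."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[-:]", "", mac))


def build_magic_packet(mac: str) -> bytes:
    """Magic packet = 6 x 0xFF synchronisation stream + target MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def send_wol(mac: str, broadcast: str = BROADCAST, port: int = WOL_PORT) -> int:
    """Broadcast the magic packet on the server's VLAN; returns the number of bytes sent."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(packet, (broadcast, port))


def wait_for_host(host: str, port: int = SERVICE_PORT, timeout: float = 120.0) -> bool:
    """Poll a TCP port until the server answers or the timeout expires."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=3):
                return True
        except OSError:
            time.sleep(5)
    return False


if __name__ == "__main__":
    send_wol(SERVER_MAC)
    print("server reachable" if wait_for_host(SERVER_IP) else "server did not come up")
```

The infrastructure node must sit on (or be allowed to send directed broadcasts into) the compute server's VLAN, otherwise the gateway will drop the packet before it reaches the NIC.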
Air-Gapped Surveillance
Cameras and the video recorder have zero internet access by design. Footage stays on-premises. Remote viewing is only available through the VPN tunnel — never through cloud relay services.
Single Infrastructure Node
DNS, VPN, ETL, and power management all run on one always-on device. This is a deliberate tradeoff: single point of failure for non-critical services, but minimal power draw and operational simplicity for a home environment. The gateway continues routing if this node goes down — only DNS filtering and VPN access are affected.